Vulnerability-Lookup

Vulnerability from cleanstart

Published

2026-05-18 14:00

Modified

2026-05-02 05:46

Summary

Security fixes for CVE-2025-11579, CVE-2026-1229, CVE-2026-21726, CVE-2026-24051, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, CVE-2026-33762, CVE-2026-34040, CVE-2026-34165, CVE-2026-34986, CVE-2026-39882, ghsa-3xc5-wrhm-f963, ghsa-497x-rrr9-68jp, ghsa-6g7g-w4f8-9c9x, ghsa-78h2-9frx-2jm8, ghsa-9h8m-3fm2-qjrq, ghsa-fw7p-63qq-7hpr, ghsa-gm2x-2g9h-ccm8, ghsa-jhf3-xxhw-2wpp, ghsa-jqcq-xjh3-6g23, ghsa-p77j-4mvh-x3m3, ghsa-q9hv-hpm4-hj6x, ghsa-rwvp-r38j-9rgg, ghsa-w8rr-5gcm-pp58, ghsa-x6gf-mpr2-68h6, ghsa-xmrv-pmrh-hhx2 applied in versions: 1.12.1-r2, 1.14.2-r1, 1.14.2-r2, 1.14.2.r0

Details

Multiple security vulnerabilities affect the grafana-alloy-fips package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2025-11579	WEB
	https://osv.dev/vulnerability/CVE-2026-1229	WEB
	https://osv.dev/vulnerability/CVE-2026-21726	WEB
	https://osv.dev/vulnerability/CVE-2026-24051	WEB
	https://osv.dev/vulnerability/CVE-2026-25679	WEB
	https://osv.dev/vulnerability/CVE-2026-27139	WEB
	https://osv.dev/vulnerability/CVE-2026-27142	WEB
	https://osv.dev/vulnerability/CVE-2026-33186	WEB
	https://osv.dev/vulnerability/CVE-2026-33762	WEB
	https://osv.dev/vulnerability/CVE-2026-34040	WEB
	https://osv.dev/vulnerability/CVE-2026-34165	WEB
	https://osv.dev/vulnerability/CVE-2026-34986	WEB
	https://osv.dev/vulnerability/CVE-2026-39882	WEB
	https://osv.dev/vulnerability/ghsa-3xc5-wrhm-f963	WEB
	https://osv.dev/vulnerability/ghsa-497x-rrr9-68jp	WEB
	https://osv.dev/vulnerability/ghsa-6g7g-w4f8-9c9x	WEB
	https://osv.dev/vulnerability/ghsa-78h2-9frx-2jm8	WEB
	https://osv.dev/vulnerability/ghsa-9h8m-3fm2-qjrq	WEB
	https://osv.dev/vulnerability/ghsa-fw7p-63qq-7hpr	WEB
	https://osv.dev/vulnerability/ghsa-gm2x-2g9h-ccm8	WEB
	https://osv.dev/vulnerability/ghsa-jhf3-xxhw-2wpp	WEB
	https://osv.dev/vulnerability/ghsa-jqcq-xjh3-6g23	WEB
	https://osv.dev/vulnerability/ghsa-p77j-4mvh-x3m3	WEB
	https://osv.dev/vulnerability/ghsa-q9hv-hpm4-hj6x	WEB
	https://osv.dev/vulnerability/ghsa-rwvp-r38j-9rgg	WEB
	https://osv.dev/vulnerability/ghsa-w8rr-5gcm-pp58	WEB
	https://osv.dev/vulnerability/ghsa-x6gf-mpr2-68h6	WEB
	https://osv.dev/vulnerability/ghsa-xmrv-pmrh-hhx2	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-11579	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1229	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-21726	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-24051	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25679	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27139	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27142	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33186	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33762	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34040	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34165	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34986	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-39882	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "grafana-alloy-fips"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.2.r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the grafana-alloy-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-ET12387",
  "modified": "2026-05-02T05:46:50Z",
  "published": "2026-05-18T14:00:36.431238Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-ET12387.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-11579"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1229"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-21726"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-24051"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25679"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27139"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27142"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33186"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33762"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34040"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34165"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34986"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-39882"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3xc5-wrhm-f963"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-497x-rrr9-68jp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-6g7g-w4f8-9c9x"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-78h2-9frx-2jm8"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-9h8m-3fm2-qjrq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-fw7p-63qq-7hpr"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-gm2x-2g9h-ccm8"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-jhf3-xxhw-2wpp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-jqcq-xjh3-6g23"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-p77j-4mvh-x3m3"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-q9hv-hpm4-hj6x"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-rwvp-r38j-9rgg"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-w8rr-5gcm-pp58"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-x6gf-mpr2-68h6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xmrv-pmrh-hhx2"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11579"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1229"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21726"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24051"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33762"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34040"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34165"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39882"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2025-11579, CVE-2026-1229, CVE-2026-21726, CVE-2026-24051, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, CVE-2026-33762, CVE-2026-34040, CVE-2026-34165, CVE-2026-34986, CVE-2026-39882, ghsa-3xc5-wrhm-f963, ghsa-497x-rrr9-68jp, ghsa-6g7g-w4f8-9c9x, ghsa-78h2-9frx-2jm8, ghsa-9h8m-3fm2-qjrq, ghsa-fw7p-63qq-7hpr, ghsa-gm2x-2g9h-ccm8, ghsa-jhf3-xxhw-2wpp, ghsa-jqcq-xjh3-6g23, ghsa-p77j-4mvh-x3m3, ghsa-q9hv-hpm4-hj6x, ghsa-rwvp-r38j-9rgg, ghsa-w8rr-5gcm-pp58, ghsa-x6gf-mpr2-68h6, ghsa-xmrv-pmrh-hhx2 applied in versions: 1.12.1-r2, 1.14.2-r1, 1.14.2-r2, 1.14.2.r0",
  "upstream": [
    "CVE-2025-11579",
    "CVE-2026-1229",
    "CVE-2026-21726",
    "CVE-2026-24051",
    "CVE-2026-25679",
    "CVE-2026-27139",
    "CVE-2026-27142",
    "CVE-2026-33186",
    "CVE-2026-33762",
    "CVE-2026-34040",
    "CVE-2026-34165",
    "CVE-2026-34986",
    "CVE-2026-39882",
    "ghsa-3xc5-wrhm-f963",
    "ghsa-497x-rrr9-68jp",
    "ghsa-6g7g-w4f8-9c9x",
    "ghsa-78h2-9frx-2jm8",
    "ghsa-9h8m-3fm2-qjrq",
    "ghsa-fw7p-63qq-7hpr",
    "ghsa-gm2x-2g9h-ccm8",
    "ghsa-jhf3-xxhw-2wpp",
    "ghsa-jqcq-xjh3-6g23",
    "ghsa-p77j-4mvh-x3m3",
    "ghsa-q9hv-hpm4-hj6x",
    "ghsa-rwvp-r38j-9rgg",
    "ghsa-w8rr-5gcm-pp58",
    "ghsa-x6gf-mpr2-68h6",
    "ghsa-xmrv-pmrh-hhx2"
  ]
}

CVE-2025-11579 (GCVE-0-2025-11579)

Vulnerability from cvelistv5 – Published: 2025-10-10 11:15 – Updated: 2025-12-02 09:30

Title

DoS via Out Of Memory Crash

Summary

github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-789 - Memory Allocation with Excessive Size Value

Assigner

Mattermost

References

1 reference

URL	Tags
https://github.com/nwaples/rardecode/commit/52fb4…

Impacted products

1 product

Vendor	Product	Version
nwaples	rardecode	Affected: 2.0.1 , ≤ 2.1.1 (semver) Unaffected: 2.2.0

Credits

Juho Forsén

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11579",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-10T12:40:54.486493Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-10T12:41:22.168Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "rardecode",
          "vendor": "nwaples",
          "versions": [
            {
              "lessThanOrEqual": "2.1.1",
              "status": "affected",
              "version": "2.0.1",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "2.2.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Juho Fors\u00e9n"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "github.com/nwaples/rardecode versions \u0026lt;=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash."
            }
          ],
          "value": "github.com/nwaples/rardecode versions \u003c=2.1.1 fail to restrict the dictionary size when reading\u00a0large RAR\u00a0dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-02T09:30:03.452Z",
        "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "shortName": "Mattermost"
      },
      "references": [
        {
          "url": "https://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to github.com/nwaples/rardecode v2.2.0 or higher"
            }
          ],
          "value": "Update to\u00a0github.com/nwaples/rardecode v2.2.0 or higher"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "DoS via Out Of Memory Crash",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
    "assignerShortName": "Mattermost",
    "cveId": "CVE-2025-11579",
    "datePublished": "2025-10-10T11:15:15.163Z",
    "dateReserved": "2025-10-10T09:12:41.410Z",
    "dateUpdated": "2025-12-02T09:30:03.452Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1229 (GCVE-0-2026-1229)

Vulnerability from cvelistv5 – Published: 2026-02-24 07:58 – Updated: 2026-02-24 15:10

Title

Incorrect calculation in CIRCL secp384r1 CombinedMult

Summary

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .

Severity ?

2.9 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber

CWE

CWE-682 - Incorrect Calculation

Assigner

cloudflare

References

1 reference

URL	Tags
https://github.com/cloudflare/circl

Impacted products

1 product

Vendor	Product	Version
Cloudflare	CIRCL	Affected: CIRCL up to version 1.6.2 , < 1.6.3 (custom)

Credits

Guido Vranken

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1229",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-24T15:04:09.395394Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-24T15:10:21.738Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Go"
          ],
          "product": "CIRCL",
          "repo": "https://github.com/cloudflare/circl",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "1.6.3",
              "status": "affected",
              "version": "CIRCL up to version 1.6.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Guido Vranken"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eThe CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\u003cbr\u003eECDH and ECDSA signing relying on this curve are not affected.\u003c/p\u003e\u003cp\u003eThe bug was fixed in \u003cstrong\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/circl/releases/tag/v1.6.3\"\u003ev1.6.3\u003c/a\u003e\u003c/strong\u003e.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in  v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 ."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-682",
              "description": "CWE-682 Incorrect Calculation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-24T07:58:54.406Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/circl"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Incorrect calculation in CIRCL secp384r1 CombinedMult",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2026-1229",
    "datePublished": "2026-02-24T07:58:54.406Z",
    "dateReserved": "2026-01-20T13:09:57.206Z",
    "dateUpdated": "2026-02-24T15:10:21.738Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21726 (GCVE-0-2026-21726)

Vulnerability from cvelistv5 – Published: 2026-04-15 19:24 – Updated: 2026-05-13 19:28

Title

Loki Path Traversal - CVE-2021-36156 Bypass

Summary

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerability.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GRAFANA

References

1 reference

URL	Tags
https://grafana.com/security/security-advisories/…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Grafana	Loki	Affected: 2.3.0 , < 3.5.9 (semver)

Date Public ?

2026-04-15 19:20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21726",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-15T20:01:24.769436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-20T18:58:17.749Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "OnPrem"
          ],
          "product": "Loki",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "3.5.9",
              "status": "affected",
              "version": "2.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-04-15T19:20:00.780Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}\n\nThanks to Prasanth Sundararajan for reporting this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T19:28:29.093Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-21726"
        }
      ],
      "source": {
        "discovery": "BUG_BOUNTY"
      },
      "title": "Loki Path Traversal - CVE-2021-36156 Bypass",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-21726",
    "datePublished": "2026-04-15T19:24:31.268Z",
    "dateReserved": "2026-01-05T09:26:06.215Z",
    "dateUpdated": "2026-05-13T19:28:29.093Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24051 (GCVE-0-2026-24051)

Vulnerability from cvelistv5 – Published: 2026-02-02 19:49 – Updated: 2026-02-03 14:54

Title

OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking

Summary

OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.

Severity ?

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-426 - Untrusted Search Path

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/open-telemetry/opentelemetry-g…	x_refsource_CONFIRM
https://github.com/open-telemetry/opentelemetry-g…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
open-telemetry	opentelemetry-go	Affected: >= 1.21.0, < 1.40.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24051",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T14:53:50.389773Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T14:54:41.668Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-go",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.21.0, \u003c 1.40.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T19:49:10.038Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53"
        }
      ],
      "source": {
        "advisory": "GHSA-9h8m-3fm2-qjrq",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24051",
    "datePublished": "2026-02-02T19:49:10.038Z",
    "dateReserved": "2026-01-20T22:30:11.778Z",
    "dateUpdated": "2026-02-03T14:54:41.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25679 (GCVE-0-2026-25679)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-10 13:37

Title

Incorrect parsing of IPv6 host literals in net/url

Summary

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-1286 - Improper Validation of Syntactic Correctness of Input

Assigner

References

4 references

URL	Tags
https://go.dev/cl/752180
https://go.dev/issue/77578
https://groups.google.com/g/golang-announce/c/Edh…
https://pkg.go.dev/vuln/GO-2026-4601

Impacted products

1 product

Vendor	Product	Version
Go standard library	net/url	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Credits

Masaki Hara (https://github.com/qnighy) of Wantedly

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25679",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T13:36:26.554241Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T13:37:02.459Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/url",
          "product": "net/url",
          "programRoutines": [
            {
              "name": "parseHost"
            },
            {
              "name": "JoinPath"
            },
            {
              "name": "Parse"
            },
            {
              "name": "ParseRequestURI"
            },
            {
              "name": "URL.Parse"
            },
            {
              "name": "URL.UnmarshalBinary"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Masaki Hara (https://github.com/qnighy) of Wantedly"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.211Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/752180"
        },
        {
          "url": "https://go.dev/issue/77578"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4601"
        }
      ],
      "title": "Incorrect parsing of IPv6 host literals in net/url"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-25679",
    "datePublished": "2026-03-06T21:28:14.211Z",
    "dateReserved": "2026-02-05T01:33:41.943Z",
    "dateUpdated": "2026-03-10T13:37:02.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27139 (GCVE-0-2026-27139)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-09 14:53

Title

FileInfo can escape from a Root in os

Summary

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Severity ?

2.5 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-363 - Race Condition Enabling Link Following

Assigner

References

4 references

URL	Tags
https://groups.google.com/g/golang-announce/c/Edh…
https://go.dev/issue/77827
https://go.dev/cl/749480
https://pkg.go.dev/vuln/GO-2026-4602

Impacted products

1 product

Vendor	Product	Version
Go standard library	os	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Credits

Miloslav Trmač of Red Hat

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 2.5,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27139",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T14:53:55.467850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T14:53:58.363Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "os",
          "product": "os",
          "programRoutines": [
            {
              "name": "File.ReadDir"
            },
            {
              "name": "File.Readdir"
            },
            {
              "name": "ReadDir"
            },
            {
              "name": "dirFS.ReadDir"
            },
            {
              "name": "rootFS.ReadDir"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Miloslav Trma\u010d of Red Hat"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-363: Race Condition Enabling Link Following",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.451Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://go.dev/issue/77827"
        },
        {
          "url": "https://go.dev/cl/749480"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4602"
        }
      ],
      "title": "FileInfo can escape from a Root in os"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27139",
    "datePublished": "2026-03-06T21:28:14.451Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-03-09T14:53:58.363Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27142 (GCVE-0-2026-27142)

Vulnerability from cvelistv5 – Published: 2026-03-06 21:28 – Updated: 2026-03-16 15:21

Title

URLs in meta content attribute actions are not escaped in html/template

Summary

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

4 references

URL	Tags
https://groups.google.com/g/golang-announce/c/Edh…
https://go.dev/issue/77954
https://go.dev/cl/752081
https://pkg.go.dev/vuln/GO-2026-4603

Impacted products

1 product

Vendor	Product	Version
Go standard library	html/template	Affected: 0 , < 1.25.8 (semver) Affected: 1.26.0-0 , < 1.26.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-27142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-16T15:21:11.058826Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-16T15:21:14.465Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "html/template",
          "product": "html/template",
          "programRoutines": [
            {
              "name": "tTag"
            },
            {
              "name": "escaper.escapeAction"
            },
            {
              "name": "Template.Execute"
            },
            {
              "name": "Template.ExecuteTemplate"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.1",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T21:28:14.674Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
        },
        {
          "url": "https://go.dev/issue/77954"
        },
        {
          "url": "https://go.dev/cl/752081"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4603"
        }
      ],
      "title": "URLs in meta content attribute actions are not escaped in html/template"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-27142",
    "datePublished": "2026-03-06T21:28:14.674Z",
    "dateReserved": "2026-02-17T19:57:28.435Z",
    "dateUpdated": "2026-03-16T15:21:14.465Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33186 (GCVE-0-2026-33186)

Vulnerability from cvelistv5 – Published: 2026-03-20 22:23 – Updated: 2026-03-24 18:09

Title

gRPC-Go has an authorization bypass via missing leading slash in :path

Summary

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-285 - Improper Authorization

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/grpc/grpc-go/security/advisori…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
grpc	grpc-go	Affected: < 1.79.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33186",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T18:08:38.989284Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T18:09:13.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grpc-go",
          "vendor": "grpc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.79.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T22:23:32.147Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
        }
      ],
      "source": {
        "advisory": "GHSA-p77j-4mvh-x3m3",
        "discovery": "UNKNOWN"
      },
      "title": "gRPC-Go has an authorization bypass via missing leading slash in :path"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33186",
    "datePublished": "2026-03-20T22:23:32.147Z",
    "dateReserved": "2026-03-17T22:16:36.720Z",
    "dateUpdated": "2026-03-24T18:09:13.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33762 (GCVE-0-2026-33762)

Vulnerability from cvelistv5 – Published: 2026-03-31 13:47 – Updated: 2026-03-31 18:53

Title

go-git: Missing validation decoding Index v4 files leads to panic

Summary

go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.

Severity ?

2.8 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-129 - Improper Validation of Array Index

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/go-git/go-git/security/advisor…	x_refsource_CONFIRM
https://github.com/go-git/go-git/releases/tag/v5.17.1	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
go-git	go-git	Affected: < 5.17.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33762",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T18:50:26.187250Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T18:53:08.221Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go-git",
          "vendor": "go-git",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.17.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git\u2019s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 2.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-129",
              "description": "CWE-129: Improper Validation of Array Index",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T13:47:42.378Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8"
        },
        {
          "name": "https://github.com/go-git/go-git/releases/tag/v5.17.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-git/go-git/releases/tag/v5.17.1"
        }
      ],
      "source": {
        "advisory": "GHSA-gm2x-2g9h-ccm8",
        "discovery": "UNKNOWN"
      },
      "title": "go-git: Missing validation decoding Index v4 files leads to panic"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33762",
    "datePublished": "2026-03-31T13:47:42.378Z",
    "dateReserved": "2026-03-23T18:30:14.126Z",
    "dateUpdated": "2026-03-31T18:53:08.221Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34040 (GCVE-0-2026-34040)

Vulnerability from cvelistv5 – Published: 2026-03-31 01:36 – Updated: 2026-04-02 03:55

Title

Moby: AuthZ plugin bypass with oversized request body

Summary

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/moby/moby/security/advisories/…	x_refsource_CONFIRM
https://github.com/moby/moby/releases/tag/docker-…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
moby	moby	Affected: < 29.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34040",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T03:55:56.676Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moby",
          "vendor": "moby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 29.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T01:36:48.205Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2"
        },
        {
          "name": "https://github.com/moby/moby/releases/tag/docker-v29.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/moby/releases/tag/docker-v29.3.1"
        }
      ],
      "source": {
        "advisory": "GHSA-x744-4wpc-v9h2",
        "discovery": "UNKNOWN"
      },
      "title": "Moby: AuthZ plugin bypass with oversized request body"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34040",
    "datePublished": "2026-03-31T01:36:48.205Z",
    "dateReserved": "2026-03-25T15:29:04.744Z",
    "dateUpdated": "2026-04-02T03:55:56.676Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

CVE-2025-11579 (GCVE-0-2025-11579)

CVE-2026-1229 (GCVE-0-2026-1229)

CVE-2026-21726 (GCVE-0-2026-21726)

CVE-2026-24051 (GCVE-0-2026-24051)

CVE-2026-25679 (GCVE-0-2026-25679)

CVE-2026-27139 (GCVE-0-2026-27139)

CVE-2026-27142 (GCVE-0-2026-27142)

CVE-2026-33186 (GCVE-0-2026-33186)

CVE-2026-33762 (GCVE-0-2026-33762)

CVE-2026-34040 (GCVE-0-2026-34040)

Tags

Sightings

Nomenclature